Coinbase confirms insider breach impacting nearly 70K users amid $20M extortion attempt

A large-scale extortion scheme targeting Coinbase users has exposed the personal information of nearly 70,000 customers, the US-based cryptocurrency exchange confirmed in a data breach notification.

Coinbase revealed that the breach, which it attributed to insider misconduct at an overseas customer support center, occurred on December 26, 2024, but went undetected until May 11, 2025 — the day the attackers demanded a $20 million ransom in exchange for not releasing the stolen data.

Rather than pay the ransom, Coinbase has offered a $20 million reward for information leading to the identification and arrest of those behind the attack. The breach affected 69,461 users, with the compromised data reportedly fueling a months-long phishing campaign that netted tens of millions of dollars from targeted customers.

Taylor Monahan, head of security at MetaMask, disputed the timeline presented by Coinbase, suggesting that attackers had insider access for much longer than acknowledged.

“Threat actors had ongoing access via multiple insiders over a prolonged period of time,” Monahan wrote on X, citing a May 16 article by Cryptoforensic Investigators.

The investigative report alleged that hackers began using stolen information months before the official breach date, successfully targeting high-net-worth Coinbase users through coordinated phishing, social engineering, and vishing scams. One victim reportedly lost 400 BTC — valued at over $27 million — in a single incident.

Cryptoforensic Investigators estimate that the breach may have begun as far back as mid-2024, with attackers gaining increasing access and sophistication in targeting victims.

